More and more news sites are requiring memberships. More and more programmers are focusing on "front-end" coding. Together, these two trends leave a lot of supposedly protected content not secure at all.
We'll examine the steps to access full-length articles on Medscape (www.medscape.com), a poorly constructed medical news site that's owned and operated by WebMD. The "News & Perspective" section is of particular interest.
First let's look at the site's "protection". Click on any news article on the home page - you'll be redirected to a login screen. Each link has the following format:
Medscape came to our attention when one of its articles was indexed in Google News. The link on Google News resulted in the exact URL but somehow there is no login screen. This gives away the first step:
Step 1 - Link from Google News
Open https://news.google.com/. Using the Developer Console in your browser, modify part of the page to include the following link:
<a href="https://www.medscape.com/viewarticle/908090" target="_blank">AAA</a>
The injected link will look like the following:
Click on the link and you'll see the teaser, or the first two paragraphs, of the article:
Step 3 - Reload the MedScape article page
Bingo! We can now see the entire article without ever signing in!
How does this work?
The full article is transmitted but not displayed. Our initial thought was that nobody would be unwise enough to use this approach, but what if it's true? So we quickly verified our suspicion by searching for phrases from the last teaser paragraph in the HTML source, and sure enough the rest of the article followed.
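As an added illustration (not code from Medscape, WebMD or Antradar), the pattern the steps above point to, a client-side "hidden" toggle with an exception for visitors arriving from a news aggregator, next to the server-side alternative, plus a small audit helper that tells the two apart from the HTML alone. The article text, the two-paragraph teaser length and the Referer heuristic are constructed assumptions.

```python
# Added example: client-side vs server-side paywall gating. Article text,
# paragraph count and the 'Referer' heuristic are constructed assumptions.
from dataclasses import dataclass
from html import escape

TEASER_PARAGRAPHS = 2  # the post reports the first two paragraphs as the teaser

@dataclass
class Request:
    authenticated: bool
    referer: str = ""

# Constructed sample article: paragraph 3 onward is members-only content.
ARTICLE = [
    "Paragraph one of the teaser.",
    "Paragraph two of the teaser.",
    "Members-only paragraph three.",
    "Members-only paragraph four.",
]

def render_client_gated(paragraphs, req):
    """Insecure pattern: the full article is always sent; only a CSS class
    decides whether the browser shows it. The Referer header is supplied by
    the client, so the 'came from a news aggregator' exception is no check."""
    unlocked = req.authenticated or "news.google.com" in req.referer
    cls = "" if unlocked else ' class="hidden"'
    body = "".join(f"<p>{escape(p)}</p>" for p in paragraphs[:TEASER_PARAGRAPHS])
    body += "".join(f"<p{cls}>{escape(p)}</p>" for p in paragraphs[TEASER_PARAGRAPHS:])
    return body

def render_server_gated(paragraphs, req):
    """Hardened pattern: the server decides what leaves the origin based only
    on the authenticated session and never emits paragraphs the client may
    not read. Nothing in the page source can be 'unhidden'."""
    shown = paragraphs if req.authenticated else paragraphs[:TEASER_PARAGRAPHS]
    return "".join(f"<p>{escape(p)}</p>" for p in shown)

def leaked_paragraphs(html, paragraphs):
    """Audit helper: which members-only paragraphs appear in the HTML served
    to an anonymous client? Any hit means protection is client-side only."""
    return [p for p in paragraphs[TEASER_PARAGRAPHS:] if escape(p) in html]

if __name__ == "__main__":
    anon = Request(authenticated=False)
    print(leaked_paragraphs(render_client_gated(ARTICLE, anon), ARTICLE))
    print(leaked_paragraphs(render_server_gated(ARTICLE, anon), ARTICLE))
```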
Why does this matter?
We don't mean to pick on MedScape or WebMD for that matter. Although the website's content protection is baffling, such practice is quite common. There are three factors that plague this website as well as many others:
Politics - there is an interesting phenomenon that the organization of a physical machine often reflects the human structure of its manufacturer. The same is true of software. When a CMS uses client-side code to add or remove content on the fly, it shows that certain features were added as an afterthought. Probably the sign-in flow was considered a visual feature and implemented by a front-end developer. The very notion of separate front- and back-end developers creates an unnatural divide. In comparison, we at Antradar train developers to understand the full transaction flow. There can be a front- or back-end focus, but the developers are not disconnected.
Talent Pool - there are many server-side, or "back-end", developers around. But they aren't the first point of contact. The "managing firms", often creative agencies, compete fiercely in the looks department. This puts graphic designers, and designer-derived "front-end" developers, on the front line.
A word on fair charge
How much does a MedScape membership cost? We don't know. It could even be free, but that's beside the point. There is an intrinsic cost a user pays when they go through the hassle of signing up.
Imagine filling out a lengthy survey form, giving away much of your personal contact information, and having to deal with incessant sales calls for months to come, only to find out that the "free article" download is a static link. How is this fair to registered users?